Open xillwillx opened 11 years ago
Are you using the latest macbook pro as a target, by any chance?
Yes
Interesting. I know that Vt-d supposedly has been introduced in those models on 10.8.1/2, but since I don't own one myself (and I'm a bit hesitant to test this out in the Apple Store :D) I have been unable to test.
If this is due to Vt-d, there's no known way around it, unfortunately (or fortunately).
But Vt-d has been around as long as the FireWire hack. Are they finally implementing something in the hardware to block this, or did 10.8.2 change something? I didn't have an older machine with 10.8.2 on it to test.
Vt-d needs both hardware and OS support. I know that Vt-d is present in the Sandy Bridge chipset, and I've seen indications that it is implemented at the OS level in 10.8.1/2. So yeah, that may be what's happening.
Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: A person with physical access may be able to access the user's password
Description: A logic error in the kernel's DMA protection permitted firewire DMA at loginwindow, boot, and shutdown, although not at screen lock. This update addresses the issue by preventing firewire DMA at all states where the user is not logged in.
CVE-ID CVE-2011-3215 : Passware, Inc
Fixed as of October last year? 10.7.2, screen lock puts FireWire into emulation mode, which protects against DMA attacks.
Ah yeah, read the tool page FAQ and troubleshooting sections. I was assuming that you were trying to get DMA in an unlocked state.
Can you try running the tool with -v against the mbp when it is unlocked and see if you get DMA?
Unlocked, it finds the signature, but even though it says it's patched, it won't bypass the password if I lock it afterwards.
[] Initializing bus and enabling SBP-2, please wait 1 seconds or press Ctrl+C
[] DMA shields should be down by now. Attacking...
[=> ] 147 MiB ( 4%) {0000000000000000}
[] Signature found at 0x93e7334 (in page # 37863)
[] Data read back: 0xb001
[] Write-back verified; patching successful
[] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!
Did you try a non-blank password?
Bump. I'm going to close this issue unless I receive a response :)
Haven't had a chance to test it. I don't own a MacBook, so I only get to test it if the other guy is at my hackerspace. Currently I was testing out ramdump.py and the forensic1394 libs borked the inception install. I haven't had a chance to figure it out yet. I'll see what I can do tomorrow.
Closing this as hardware issue.
Reopening this as I've had other reports describing this issue.
Using FireWire from a BackTrack machine to Mac OS X, not reading the memory, just showing all 0's until it gets to 100% and fails. Using a 6-pin to 9-pin Mac adapter, but not sure if the adapter is the issue. It looks like this: http://www.firewire.co.uk/img/visionaer-firewire-400-to-800-adapter-6-pin-female-to-9-pin-male-fw-800-connector-compact_4910_500.jpg
Tested on Mac 10.6.8 (had to upgrade from default 10.6 install) with no issues, and Win7 32x with no issues, with straight FireWire 4-pin and 6-pin.